Guide to Secure Group Chat and Conferencing Tools

With teams continuing to work remotely during COVID-19, we are all facing questions regarding the security of our communication with one another: Which communication platform or tool is best to use? Which is the most secure for holding sensitive internal meetings? Which will have adequate features for online training sessions or remote courses without compromising the privacy and security of participants?

Front Line Defenders presents this simple overview which may help you choose the right tool for your specific needs. In this guide we provide:

• Criteria for selecting the tools or platforms
• More information related to each tool/service we listed in this guide
• Video calls, webinar or online training recommendations

Download PDF of the flow chart

Note:

• With end-to-end encryption (e2ee), your message gets encrypted before it leaves your device and only gets decrypted when it reaches the intended recipient’s device. Using e2ee is important if you plan to transmit sensitive communication, such as during internal team or partners meetings.
• With encryption to-server, your message is not encrypted for its entire journey. It is encrypted before it leaves your device, but the service you are using (like Google Meet or Microsoft Teams) decrypts it for processing and re-encrypts it again before sending to recipient(s). That means someone who has access to servers could potentially intercept your messages. Having encryption to-server is OK if you fully trust the server.

Why Zoom or other platforms/tools are not listed here: There are many platforms which can be used for group communication. In this guide we focused on those we think will deliver good user experiences and offer the best privacy and security features. Of course none of the platforms can offer 100% privacy or security as in all communications, there is a margin of risk. We have not included tools such as Zoom, Skype, Telegram, WhatsApp, etc. in this guide, as we believe that the margin of risk incurred whilst using them is too wide, and therefore Front Line Defenders does not feel comfortable recommending them.

Surveillance and behaviour: Some companies like Facebook, Google, Apple and others regularly collect, analyse and monetize information about users and their online activities. Most, if not all, of us are already profiled by these companies to some extent. If the communication is encrypted to-server owners of the platform may store this communication. Even with end-to-end encryption, communication practices such as location, time, whom you connect with, how often, etc. may still be stored. If you are uncomfortable with this data being collected, stored and shared, we recommended refraining from using services by those companies.

The level of protection of your call depends not only on which platform you choose, but also on the physical security of the space you and others on the call are in and the digital protection of the devices you and others use for the call.

See also:

• Physical, emotional and digital protection while using home as office in times of COVID-19
• Videoconferencing Guide

Caution: Use of encryption is illegal in some countries. You should understand and consider the law in your country before deciding on using any of the tools mentioned in this guide.

Criteria for selecting the tools or platforms

Before selecting any communication platform, app or program it is always strongly recommended that you research it first. Below we list some important questions to consider:

• Is the platform mature enough? How long has it been running for? Is it still being actively developed? Does it have a large community of active developers? How many active users does it have?
• Does the platform provide encryption? Is it end-to-end encrypted or just to-server encrypted?
• In which jurisdiction is the owner of the platform and where are servers located? Does this pose a potential challenge for your or your partners?
• Does the platform allow for self-hosting?
• Is the platform open source? Does it provide source code to anyone to inspect?
• Was the platform independently audited? When was the last audit? What do experts say about the platform?
• What is the history of the development and ownership of the platform? Have there been any security challenges? How have the owners and developers reacted to those challenges?
• How do you connect with others? Do you need to provide phone number, email or nickname? Do you need to install a dedicated app/program? What will this app/program have access to on your device? Is it your address book, location, mic, camera, etc.?
• What is stored on the server? What does the platform's owner have access to?
• Does the platform have features needed for the specific task/s you require?
• Is the platform affordable? This needs to include potential subscription fees, learning and implementing, and possible IT support needed, hosting costs, etc.

More information related to each tool/service we listed in this guide

Note: all the listed platforms, apps and programs below should work on Windows, MacOS, Linux, Andoid and iOS unless otherwise noted. Depending on the operating system, some functionality may be limited.

Signal - https://signal.org/

• Owner non-profit organisation: Signal Technology Foundation / USA
• Encryption: end-to-end
• Features: voice / video / text; disappearing messages; voice memo; sending files or photos;
• License: Free and open source (GNU General Public License v3.0)
• Hosted on Signal's server
• Cost: free
• Participants limits: voice/video with up to 8 people / text unlimited
• Account required: yes, registration with phone number
• Access with: app on the phone or program on computer
• Notes: To communicate with others you need to let them know your phone number. We recommend that you use security settings including Signal PIN, Registration Lock, Screen Lock, and Enable Screen Security in Privacy settings. Signal publishes transparency report

Delta Chat - https://delta.chat/

• Owner commercial company: Merlinux GmbH / Germany
• Encryption: end-to-end
• Features: text; voice memo; sending files or photos;
• License: Free and open source (GNU General Public License v3.0)
• Hosting: works with any email server (IMAP access needed)
• Cost: free
• Participant limits: unlimited
• Account requirement: yes, any email account with IMAP support.
• Access with: app on the phone or program on computer
• Notes: To communicate with others you need to let them know your email.

Element - https://element.io

• Owner commercial company: New Vector Ltd. / USA
• Encryption: end-to-end
• Features: voice / video / text (see notes below); public rooms; sending files or photos; integrates with Jitsi Meet and other communication platforms; screen sharing;
• License: Free and open source (Apache License 2.0)
• Hosting: Self hosted and 3rd party hosted (on matrix.org server)
• Cost: free or paid
• Participant limits: voice 1-to-1 / video 1-to-1 / text unlimited
• Account requirement: yes, registration required - no need to add email or phone number
• Access with: app on the phone or program on computer
• Notes: Voice/video calls are only available from the phone; There is no group voice/video calls available; It is always important to check if end-to-end encryption is activated. This is indicated by a black shield on chat lead icon. You can manually activate it in the chat settings. Element was previously known as Riot. It is build on Matrix.org protocol.

Wire - https://wire.com/

• Owner commercial company: Wire Swiss GmbH / Switzerland
• Encryption: end-to-end
• Features: voice / video / text; disappearing messages; voice memo; sending files or photos;
• License: Free and open source (client: GNU General Public License v3.0, server: GNU Affero General Public License v3.0)
• Hosted: on Wire's server
• Cost: free for personal use, monthly per account fee otherwise
• Participant limits: Voice up to 25 / Video up to 12 / Text up to 500 participants
• Account requirement: yes, email or phone number registration. Any participant can create communication group.
• Access with: app on the phone, program or browser on computer.

Jitsi Meet - https://jitsi.org/jitsi-meet/

• Owner commercial company: 8x8 / USA
• Encryption: to-server
• Features: voice / video / text; screen-sharing, depending on the server configuration: meetings recording; live-streaming (on YouTube);
• License: Free and open source (server: Apache License 2.0)
• Hosting: Self hosted and 3rd party hosted. See list of publicly accessible trusted servers we recommend in flowchart above.
• Cost: free
• Participant limits: dependent on the server configuration, often 75 participants
• Account requirement: not required. Any participant can start a call by simply opening a link.
• Access with: app on the phone, browser or program on computer
• Notes: Because Jitsi Meet is using encryption to-server, it is important to use a trusted server. We listed above some of the servers we consider trustful. See large list of community-run instances - research before using any of them, do not assume that all of them are trustworthy.
  You can host Jitsi Meet on your own server. Jitsi Meet is working on introducing end-to-end encryption soon. On some servers you may see "Phone in" option, note that those are done by regular non-encrypted calls. You can additionally use the password protect feature for joining a call. See our guide on using Jitsi Meet for safe communications

BigBlueButton - https://bigbluebutton.org/

• Owner commercial company: BigBlueButton Inc. / USA
• Encryption: to-server
• Features: voice / video / text; presentation sharing / screen-sharing / whiteboard / shared notes / breakout rooms / call recording
• License: Free and open source (server: GNU Lesser General Public License v3.0)
• Hosting: Self hosted
• Cost: free
• Participant limits: depends on server configuration, typically 150 maximum
• Account requirement: yes - for moderator with email registration, no - for participants; only moderator can create a meeting/training room.
• Access with: browser on the phone and computer
• Notes: BBB is a software that can be installed on a server. It was specially designed for online training sessions and is packed with lots of great features specially for this (see tutorials for participants and moderators)

Whereby - https://whereby.com/

• Owner commercial company: Video Communication Service AS / Videonor / Norway
• Encryption: end-to-end (for max 4 participants) / to-server (for more participants)
• Features: voice / video / text / screen sharing / call recording
• License: proprietary
• Hosted: on Whereby's server
• Cost: free (for max 4 participants) / monthly subscription (for more participants)
• Participant limits: 50 (dependent on subscription)
• Account requirement: yes, for moderator; only moderator can setup and start a meeting
• Access with: app on the phone or program on computer

Blue Jeans - https://www.bluejeans.com/

• Owner commercial company: BlueJeans Network (Verizon) / USA
• Encryption: to-server
• Features: voice / video / text / meeting recordings;
• License: proprietary
• Hosted: on Blue Jeans' server
• Cost: monthly fee
• Participant limits: 100 (dependent on subscription) 
• Account requirement: yes - moderator (registration with email), participants - no need
• Access with: app on phone, browser on computer, phone call

GoToMeeting - https://www.gotomeeting.com/

• Owner commercial company: LogMeIn Inc / USA
• Encryption: to-server
• Features: voice / video / text (limited) / screen sharing / call recording
• License: proprietary
• Hosted: on GoToMeeting's server
• Cost: monthly fee
• Participant limits: 3000 (dependent on subscription)
• Account requirement: yes - moderator/admin (registration with email), participants - no need
• Access with: app on phone, program or browser on computer, phone call

Facetime / iMessage - https://www.apple.com/ios/facetime

• Owner commercial company: Apple / USA
• Encryption: end-to-end
• Features: voice / video / text / voice memos / files transfer
• License: proprietary
• Hosted: on Apple's servers
• Cost: free
• Participant limits: 32 (not in all regions)
• Account requirement: yes, email and phone number registration. Any participant can create a communication group.
• Access with: app on phone and computer
• Notes: Facetime / iMessage will only work from Apple devices like iPhone, Mac Book or iPad. Apple may keep records of some information about the communication. Apple publishes a transparency report.

Google Meet - https://meet.google.com/

• Owner commercial company: Google LLC / USA
• Encryption: to-server
• Features: voice / video / text / screen sharing / call scheduling / video sharing / background noise filtering
• License: proprietary
• Hosted on Google's servers
• Cost: free
• Participants limits: 250 for Google Workspace accounts, 100 for free accounts
• Account required: yes, moderator needs to have Google account, participants - no need; only moderator can create a meeting room.
• Access with: app from phone, browser from computer
• Notes: Google may record some information from (since it uses to-server encryption) and about the communications. Google publishes a transparency report.

Duo - https://duo.google.com/

• Company: Google LLC / USA
• Encryption: end-to-end
• Features: voice / video
• License: proprietary
• Hosted on Google's servers
• Cost: free
• Participant limits: 12, aiming for 32
• Account: yes - phone number
• Access: app
• Notes: Duo only works from the phone (both Android and iOS). It is optimised for low bandwidth. Google may record some information about the communication.

Microsoft Teams - https://teams.microsoft.com

• Owner commercial company: Microsoft / USA
• Encryption: to-server
• Features: voice / video / text both 1-on-1 and group; topic channels; integration with office suite, emails, calendars and scheduling support across timezones; file storage; screen share with mouse control, polls, background change, sending files and multimedia ;
• License: proprietary
• Hosting: hosted on Microsoft's servers
• Cost: free and paid versions
• Participant limits: 20 in video call, 300 in a text chat (see Limits and specifications: https://docs.microsoft.com/en-us/microsoftteams/limits-specifications-teams)
• Account requirement: yes, participants need to register accounts. There is an option to join as a guest if you've been invited by a registered participant, but some functions are limited.
• Access with: app on the phone or program on computer
• Notes: Microsoft may record some information from (since it uses to-server encryption) and about the communications. Microsoft publishes a transparency report.

Video calls, webinar or online training recommendations

Video calls recommendations: In the current situation you will undoubtedly find yourself organizing or participating in many more video calls than before. It may not be obvious to everyone how to do it securely and without exposing yourself and your data to too much risk:

• Assume that when you connect to talk your camera and microphone may be turned on by default. Consider covering your camera with a sticker (making sure it doesn't leave any sticky residue on the camera lens) and only remove it when you use the camera.
• You may not want to give away too much information on your house, family pictures, notes on the walls or boards, etc. Be mindful of the background, who and what is also in the frame aside from yourself? Test before the call by, for example, opening meet.jit.si and click on GO button to get to a random empty room with your camera switched on to see what is in the picture. Consider clearing your background of clutter.
• Also be mindful who can be heard in the background. Maybe close the door and windows, or alert those sharing your space about your meeting.
• Video call services may collect information on your location and activity, consider using a VPN (see Physical, emotional and digital protection while using home as office in times of COVID-19 guide).
• It is best to position your face so your eyes are more or less at the upper third of the picture without cutting off your head. Unless you do not want to reveal your face, do not sit with your back to a light or a window. Daylight or a lamp from the front is the best. Stay within the camera frame. You may want to look into the lens from time to time to make "eye contact" with others. If you are using your cellphone, rest it against a steady object (e.g. a pile of books) so that the video picture remains stable.
• You may want to mute your microphone to prevent others hearing you typing notes or any background noise as it can be very distracting to others on the call.
• If the internet connection is slow you may want to switch off your camera, pause other programs, mute the microphone and ask others to do same. You may also want to try sitting closer to the router, or connecting your computer directly to the router with an ethernet cable. If you share internet connection with others, you may ask them to reduce extensive use of internet for the duration of your call.
• It it very tempting to multitask especially during group calls. But you may very soon realise that you are lost in the meeting and others may realize this.
• If this is a new situation for you or you are using a new calling tool, you may want to give yourself a few extra minutes to learn and test it prior to the scheduled meeting to get familiar with options like turning on/off the camera and the microphone, etc.
• If possible, prepare and test a backup communication plan in case you will have trouble connecting with others. For example, adding them to a Signal group so you can still text chat or troubleshoot problems on the call. Sometimes it helps to have an alternate browser installed on your computer or app on the phone to try connecting with those.

If you would like to organise a webinar or online training, you can use tools outlined above in the group communication. Some of best practices include:

• Make sure that you know who is connected. If this is needed check the identities of all people participating by asking them to speak. Do not assume you know who is connected only by reading assigned names.
• Agree on ground-rules, like keeping cameras on/off, keeping microphone on/off when one is not speaking, flagging when participants would like to speak, who will be chairing the meeting, who will take notes - where and how will those notes be written and then distributed, is it ok to take screenshots of a video call, is it ok to record the call, etc.
• Agree on clear agendas and time schedules. If your webinar is longer than one hour, it is probably best to divide it into clear one-hour sessions separated by some time agreed with participants, so they have time to have a short break. Plan for the possibility that not all participants will return after a break. Have alternative methods to reach out to them to remind them to return, like Signal/Wire/DeltaChat contacts for them.
• It is easiest to use a meeting service that participants connect to using a browser without a need to register or install a special program, one that also gives the webinar organiser the ability to mute microphones and close cameras of participants.
• Prior to the call, check with all participants whether they have particular needs, such as if they are deaf or hard of hearing, if they are visually impaired or blind, or any other conditions which would affect their participation in the call. With this in mind, ensure that the selected platform will accommodate these needs and to be sure, test the platform beforehand. Simple measures can also improve inclusion and participation in your calls, such as turning on cameras when possible, as it can allow for lip-reading.
• Encourage all participants to speak slowly and to avoid jargon where possible, as the working language of the call is most likely not everyone's mother tongue language. Naturally, there will be moments of silences and pauses, embrace them. They can help to support understanding and can be helpful for participants who are hard of hearing, interpreters and will also aid assistive technology to pick up words correctly.